Tika / TIKA-1322

XML file parse errors within archives trigger Zip bomb detection

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 1.5
    • Fix Version/s: 1.6
    • Component/s: parser
    • Labels:
      None

      Description

      Tika parses XML input using org.apache.tika.parser.xml.XMLParser. XMLParser opens a "p" tag before a SAXParser's output of the input XML is appended. A possible SAXException during parsing is rethrown, but the opened "p" tag is not closed. The Zip bomb detection in SecureContentHandler relies on consistent starting and closing of elements. With the current behaviour of XMLParser it will be triggered, for example, if an archive contains 10 (SecureContentHandler#maxPackageEntryDepth) invalid XML files.

            People

            • Assignee: Unassigned
            • Reporter: Matthias Krueger (mkrio)
            • Votes: 0
            • Watchers: 4